[Systems] Fwd: [MediaWiki-announce] Security Release: 1.26.1, 1.25.4, 1.24.5 and 1.23.12

bernie at codewiz.org bernie at codewiz.org
Fri Dec 18 09:38:53 EST 2015




-------- Original Message --------
From: Chad <innocentkiller at gmail.com>
Sent: December 17, 2015 7:25:59 PM EST
To: "mediawiki-announce at lists.wikimedia.org" <mediawiki-announce at lists.wikimedia.org>
Subject: [MediaWiki-announce] Security Release: 1.26.1, 1.25.4, 1.24.5 and 1.23.12

I would like to announce the release of MediaWiki 1.26.1, 1.25.4, 1.24.5, and
1.23.12.

These releases fix five security issues in core, in addition to other bug
fixes. Download links are given at the end of this email

== Security fixes ==

(T117899) SECURITY: $wgArticlePath can no longer be set to relative paths that
do not begin with a slash. This enabled trivial XSS attacks. Configuration
values such as "http://my.wiki.com/wiki/$1" are fine, as are "/wiki/$1". A
value such as "$1" or "wiki/$1" is not and will now throw an error

(T119309) SECURITY: Use hash_compare() for edit token comparison

(T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
with '@' as file uploads

(T115522) SECURITY: Passwords generated by User::randomPassword() can no
longer be shorter than $wgMinimalPasswordLength

(T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
result in improper blocks being issued

(T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
and related pages no longer use HTTP redirects and are now redirected by
MediaWiki

== Note about EOL of 1.24.x ==

Please note that 1.24.5 marks the end of support for the 1.24.x series of
releases. Technically this ended a few weeks ago with the release of 1.26.0
but we dropped one final release of 1.24.x here to give it a nicer send off
for those who have not yet upgraded.

== Release notes ==

Full release notes for 1.26.1:
<https://www.mediawiki.org/wiki/Release_notes/1.26>

Full release notes for 1.25.4:
<https://www.mediawiki.org/wiki/Release_notes/1.25>

Full release notes for 1.24.5:
<https://www.mediawiki.org/wiki/Release_notes/1.24>

Full release notes for 1.23.12:
<https://www.mediawiki.org/wiki/Release_notes/1.23>

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
   1.26.1
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.1.tar.gz
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-core-1.26.1.tar.gz

Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.1.patch.gz
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-i18n-1.26.1.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.1.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-core-1.26.1.tar.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
   1.25.4
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.4.tar.gz
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-core-1.25.4.tar.gz

Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.4.patch.gz
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-i18n-1.25.4.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.4.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.4.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-core-1.25.4.tar.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
   1.24.5
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.5.tar.gz
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-core-1.24.5.tar.gz

Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.5.patch.gz
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-i18n-1.24.5.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.5.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.5.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-core-1.24.5.tar.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
   1.23.12
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.12.tar.gz
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.12.tar.gz

Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.12.patch.gz
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-i18n-1.23.12.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.12.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.12.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.12.tar.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

-Chad H. & Chris S.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
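
A static pre-upgrade check for the T117899 rule quoted in the announcement, as an added example (it is not part of the announcement and not MediaWiki's own code): it scans LocalSettings.php text for $wgArticlePath assignments and flags values the fixed releases will reject. The function names and the sample settings are constructed for illustration.

```python
import re

# "$wgArticlePath = <expr>;" at the start of a line, so "#" and "//" comment
# lines are skipped. Block comments (/* ... */) are not tracked by this scan.
ASSIGN = re.compile(r'^\s*\$wgArticlePath\s*=\s*(.+?)\s*;')
# A single quoted PHP string literal with no concatenation.
LITERAL = re.compile(r'''(["'])([^"']*)\1$''')

def classify(expr):
    """Return 'ok', 'rejected' or 'review' for one right-hand-side expression."""
    m = LITERAL.match(expr)
    if not m:
        return 'review'    # concatenation or call: value only known at runtime
    quote, value = m.groups()
    # Accepted per the announcement: absolute URL, or path beginning with "/".
    if re.match(r'https?://', value) or value.startswith('/'):
        return 'ok'
    # Double-quoted PHP strings interpolate a leading variable such as
    # $wgScriptPath, so the effective first character is unknown here.
    # "$1" is the title placeholder, not a variable, and does not match.
    if quote == '"' and re.match(r'(\{\$|\$\{?)[A-Za-z_]', value):
        return 'review'
    return 'rejected'      # relative path without a leading slash

def audit(settings_text):
    """Return [(line_number, expression, verdict)] for every assignment found."""
    findings = []
    for number, line in enumerate(settings_text.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            findings.append((number, m.group(1), classify(m.group(1))))
    return findings

# Constructed sample input, not taken from a real wiki.
SAMPLE = r'''<?php
$wgScriptPath = "/w";
# $wgArticlePath = "$1";
$wgArticlePath = "wiki/$1";
$wgArticlePath = "/wiki/$1";
$wgArticlePath = "http://my.wiki.com/wiki/$1";
$wgArticlePath = "$wgScriptPath/index.php/$1";
$wgArticlePath = '$1';
'''

if __name__ == '__main__':
    for number, expr, verdict in audit(SAMPLE):
        print(f'line {number}: {expr} -> {verdict}')
```

Entries marked `review` need their effective value checked on the running wiki, since the scan cannot expand PHP variables.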